Flash requests and security

Hi to all!

Does anybody work with any Flash uploaders? I use Uploadify, but it seems it doesn't matter which one you use.

I need to restrict file uploads to authorized users only, because the upload is in the admin panel. But I can't understand why my Yii::app()->user->isGuest check always returns true. I'm already in the admin panel and it returns false for all requests except the Flash requests :(

I don't know the right way to debug the Flash requests, because I'm truly not familiar with Flash and these requests are not displayed in the Firebug console. So to check this I just write some data to a newly created file.

if ( Yii::app()->user->isGuest ) { file_put_contents('1.txt', 'true'); }

And unfortunately I always see the true there :(

See here. Obviously you have to build a workaround for it to work. Though I know nothing about flash - maybe there’s a much easier solution already.

Thanks for the reply.

Do you know any way to realize it in Yii? I tried something like this:

In UserIdentity.php file:


$this->setState('sid', md5(uniqid()));

Then in the index.php view:


<?php $this->widget('ext.uploadify.Uploadify', array(
     'options'=>array(
          ......
          'sessionid'=>Yii::app()->user->sid,
     ),
)); ?>

And in the Uploadify widget view:


'scriptData': {'sessionid': '<?php echo $options["sessionid"]; ?>'},

But if we then check on the backend:


if ( $_GET['sessionid'] == Yii::app()->user->sid ) { file_put_contents('c:/1.txt', 'access granted'); }

it doesn't work. In $_GET['sessionid'] we have the right value, but the Yii::app()->user->sid variable is undefined and the server returns a 500 error.

How can I check this workaround otherwise?

Put this snippet in your index.php entry script so the correct session id can be read from the cookie when the session component gets loaded (that is, when you access Yii::app()->user->…). Otherwise a new session gets created, I guess.


if (isset($_GET['sessionid']))
{
   $_COOKIE['sessionid'] = $_GET['sessionid'];
}

Also you have to submit the actual session id here:


<?php $this->widget('ext.uploadify.Uploadify', array(
     'options'=>array(
          ......
          'sessionid'=>Yii::app()->session->id,
     ),
)); ?>

Then just do something like:


if (!Yii::app()->user->isGuest) { file_put_contents('c:/1.txt', 'access granted'); }

But in the entry index.php script $_GET['sessionid'] is not defined yet, and isset($_GET['sessionid']) will return false. It will be defined only after the Flash request is sent. So the variable Yii::app()->session->id is also undefined, because the session has not been started.

Well, when you're on the upload page, you have a valid session (isGuest == false). Now when you upload, the Flash script sends a request that does NOT include the valid session (isGuest == true). So in order to have the same session that you had on the upload page, you have to make sure the correct session id is in the $_COOKIE array by copying it from $_GET to $_COOKIE. Now when the session component gets loaded (e.g. when accessing isGuest), it reads the correct session id from $_COOKIE and everything should work (accessing Yii::app()->user-> like usual).

That's how I understood the issue. Did I miss something?

Ok you are completely right.

I tried to debug all this stuff and here is what I got:

In the entry script AdminModule.php:


print_r($_COOKIE);
if ( isset($_GET['sessionid']) ) {
	$_COOKIE['sessionid'] = $_GET['sessionid'];
	print_r($_COOKIE);
	exit();
}

At the beginning the $_COOKIE array is:

Array (
 [PHPSESSID] => 7d9e26be380c4231416f0be8ab24c68f
 [7f55e9b3eaa2a57e082b26b9513b76cf] => 10489a60b3f43654b11dfa1f7b11ff0f4ad4e134a:4:{i:0;i:1;i:1;s:5:"admin";i:2;i:2592000;i:3;a:1:{s:3:"sid";s:32:"28bdda54aedef6c270d23ac112d0f300";}}
)

28bdda54aedef6c270d23ac112d0f300 is the value that I want to compare.

Then I send the flash request and get:

Array
(
 [PHPSESSID] => 612aafe184086cab0cc3e5cb04b28eab
)

Array
(
 [PHPSESSID] => 612aafe184086cab0cc3e5cb04b28eab
 [sessionid] => 28bdda54aedef6c270d23ac112d0f300
)

The one thing here I can't understand is that the first print_r returns only PHPSESSID and not the desired 7f55e9b3eaa2a57e082b26b9513b76cf. So with what should I compare the $_GET['sessionid'] value?

Currently the default session name 'PHPSESSID' is used, but you use 'sessionid' in the script. Do:


'components' => array(
   ...
   'session' => array(
      'name' => 'sessionid',
   ),
   ...
),

Then make sure that both requests have the same $_COOKIE['sessionid']. Otherwise the whole thing won't work at all, since Yii::app()->user->sid is actually stored in the session.

This is just the auto-login cookie, I think:


[7f55e9b3eaa2a57e082b26b9513b76cf] => 10489a60b3f43654b11dfa1f7b11ff0f4ad4e134a:4:{i:0;i:1;i:1;s:5:"admin";i:2;i:2592000;i:3;a:1:{s:3:"sid";s:32:"28bdda54aedef6c270d23ac112d0f300";}}

I changed the config as you said:


'session'=>array(
	'sessionName'=>'sessionid',
),

Now $_COOKIE is:

Array
(
[PHPSESSID] => 7d9e26be380c4231416f0be8ab24c68f
[sessionid] => d24da0f61ef36d5eb36250bb32e6cd46
[7f55e9b3eaa2a57e082b26b9513b76cf] => 3a1eadcfcf51df73c808a7bf44a2cd70d5cac5eca:4:{i:0;i:1;i:1;s:5:"admin"; ...cut...
)

But with Flash it works as before, and $_COOKIE is:

Array
(
[PHPSESSID] => 612aafe184086cab0cc3e5cb04b28eab
)

I know you said in a previous post that it works, but can you test on the Flash request whether $_GET['sessionid'] is correctly set? I don't think that's the case, because the output


Array
(
[PHPSESSID] => 612aafe184086cab0cc3e5cb04b28eab
)

is missing 'sessionid', and it should be set by … $_COOKIE['sessionid'] = $_GET['sessionid']; …

However, if $_GET['sessionid'] is set correctly, remove the snippet from AdminModule and put it in index.php for testing.

Please tell me, what should I do after $_COOKIE['sessionid'] = $_GET['sessionid']; ?

On the Flash request, you must make sure $_GET['sessionid'] is correctly set. If that's the case, it should get successfully copied to $_COOKIE (as I said, please do the copying in index.php). Then the session component is able to load the same session that you had on the original upload page. Otherwise a new (empty) session gets created and isGuest will return true, of course.

I mean this; put it in index.php just to make sure it gets done as early as possible, so everything will work later on:


if (isset($_GET['sessionid']))
{
   $_COOKIE['sessionid'] = $_GET['sessionid'];
}

Before playing around with setState() etc., make sure both requests have the same Yii::app()->session->id.

Thank you very much :)

Everything seems good, and I'm also using this approach in my application (with YUI Uploader). But how safe is this approach in terms of security?

Thank you!

Uploadify works for me without anything extra, but CSRF is not enabled…

I know it works :) But my question was: how secure is it to send cookie data through a POST request?

Btw, I have cookie validation enabled and thinking about enabling CSRF prevention.
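The security question asked here is left open in the thread. As an added example (editor's code, not from any poster in this thread, nor from Yii or Uploadify), here is a stricter form of the entry-script copy discussed above together with the upload action it protects, shown as two files in one block. It assumes the session component is configured with 'sessionName' => 'sessionid' as above and that the uploader sends the current session id in a POST field named sessionid. The route admin/upload, the r= query parameter (Yii 1.x default URL format), the UploadController class and the upload directory are assumptions for this example, and Uploadify's default file field name Filedata is also taken as an assumption.

```php
<?php
// ---- index.php (entry script) ----
// Added example for this thread; not code from any poster, from Yii or from
// Uploadify. Assumes 'sessionName' => 'sessionid' in the session component and
// a Flash uploader that POSTs the session id in a field called 'sessionid'.
// The route name 'admin/upload' and the 'r' parameter are assumptions.

$uploadRoute = 'admin/upload';
$route = isset($_GET['r']) ? $_GET['r'] : '';

// Take the id from the POST body only, never from the query string: query
// strings are written to web-server and proxy access logs and leak through
// the Referer header, and this value is the whole session secret.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && $route === $uploadRoute
    && isset($_POST['sessionid'])
    && is_string($_POST['sessionid'])) {
    $sid = $_POST['sessionid'];
    // Accept only something shaped like a PHP session id (characters 0-9,
    // a-z, A-Z, ',' and '-'; exact alphabet and length depend on the php.ini
    // session settings). An unchecked value would be handed straight to the
    // session handler, which starts a fresh session under an attacker-chosen
    // id unless session.use_strict_mode is on.
    if (preg_match('/^[0-9a-zA-Z,-]{22,128}$/', $sid)) {
        // Same trick as in the thread: make the session component see the id
        // as if the browser had sent the cookie. This must run before the
        // application starts and the session is read.
        $_COOKIE['sessionid'] = $sid;
    }
}

$yii    = dirname(__FILE__) . '/../framework/yii.php';
$config = dirname(__FILE__) . '/protected/config/main.php';
require_once $yii;
Yii::createWebApplication($config)->run();

// ---- protected/controllers/UploadController.php (hypothetical name) ----
// Handles the 'admin/upload' route used above; part of the same added example.
class UploadController extends CController
{
    public function actionUpload()
    {
        // The entry script resumed the original session, so isGuest now
        // reflects the logged-in admin and not a fresh, empty session.
        if (Yii::app()->user->isGuest) {
            throw new CHttpException(403, 'Login required.');
        }
        if (!Yii::app()->request->isPostRequest) {
            throw new CHttpException(405, 'POST only.');
        }

        // 'Filedata' is Uploadify's default field name (assumption here).
        $file = CUploadedFile::getInstanceByName('Filedata');
        if ($file === null || $file->hasError) {
            throw new CHttpException(400, 'No file received.');
        }

        // Never use the client-supplied name for the path on disk: generate
        // our own and keep the original only as metadata. The runtime path is
        // outside the web root, so an uploaded .php file is not reachable.
        $ext  = strtolower(pathinfo($file->name, PATHINFO_EXTENSION));
        $name = bin2hex(openssl_random_pseudo_bytes(16))
              . ($ext !== '' ? '.' . $ext : '');
        $dir  = Yii::app()->runtimePath . '/uploads';   // assumed location
        if (!is_dir($dir)) {
            mkdir($dir, 0750, true);
        }
        if (!$file->saveAs($dir . '/' . $name)) {
            throw new CHttpException(500, 'Could not store file.');
        }

        echo json_encode(array('stored' => $name, 'original' => $file->name));
        Yii::app()->end();
    }
}
```

What this buys over the bare copy: the session id stays out of logs and Referer headers because it only travels in the POST body; a value that does not even look like a session id is dropped instead of being handed to the session handler; and the copy is confined to the one route the uploader talks to, so no other page can be made to adopt a caller-chosen session. The posted id is still a bearer secret, so the endpoint must only be served over HTTPS. One caveat on the CSRF idea raised above: Yii 1.x's CSRF validation compares a POST field against a token cookie, and the Flash request carries no cookies, so enabling it for this route only works if the token cookie is injected the same way as the session id, at which point the client supplies both halves and the check proves nothing for that route.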

Without CSRF it works for me without cookie data… the session stays alive. But I read there are some problems if you use the Suhosin patch in PHP.

http://www.uploadify.com/forum/viewtopic.php?f=7&t=2585